<?php

// Provides a relatively safe way to test page permissions.
// Note that upon updating this, that view/tags.php needs updating as well,
//      as it violates the security.
class folio_page_permission {

//////////////////
//              //
//  SQL Layer   //
//              //
//////////////////

/**
* Retrieve all of the allowable permission types for the passed userid
* @param int $userid -1 is a valid option, just sets to public permissions.
**/
public function permissionlist( $userid ) {
    global $CFG;

    if ( $userid == -1 ) {
        return array('PUBLIC', 'MODERATED');
    }

    // Default permissions already availabled to logged-in users.
    $list = array('PUBLIC', 'LOGGED_IN', 'MODERATED');

    // Find values for joined communities.
    $communities = recordset_to_array(get_recordset_sql(
        "SELECT distinct u.ident as i, u.ident FROM " . $CFG->prefix . "friends e inner join " .
            $CFG->prefix . "users u on e.friend = u.ident where e.owner=$userid and user_type = 'community'"));

    if ( $communities) {
        foreach ( $communities as $community) {
            $list[] = 'community' . $community->ident;
        }
    }

    // Find values for owned communities
    $communities = recordset_to_array(get_recordset_sql(
        "SELECT DISTINCT ident as username, ident FROM " . $CFG->prefix . "users where owner = $userid"));

    if ( $communities ) {
        foreach ( $communities as $community ) {
            $list[] = 'community' . $community->username;
        }
    }

    // Find values for joined groups.
    $groups = recordset_to_array(get_recordset_sql(
        "SELECT distinct g.ident as i, g.ident FROM " . $CFG->prefix . "group_membership m inner join " .
            $CFG->prefix . "groups g on m.group_id = g.ident where m.user_id=$userid "));

    if ( $groups) {
        foreach ( $groups as $group) {
            $list[] = 'group' . $group->ident;
        }
    }

    // Find values for owned groups
    $groups = recordset_to_array(get_recordset_sql(
        "SELECT DISTINCT ident as i, ident FROM " . $CFG->prefix . "groups where owner = $userid"));

    if ( $groups ) {
        foreach ( $groups as $group ) {
            $list[] = 'group' . $group->ident;
        }
    }

    // Add user{$userid} for stuff set to private for the specified user.
    $list[] = 'user' . $userid;


    return $list;
}

    /**
     * This can only be called after $page is in the database, as it requires a real
     *     id number.
     *
     * @param folio_page $page;
     * @param string $level;
     * @return bool
     */
    public function Update( $page, $level ) {

        if ( !$page OR !$page->page_ident == -1 ) {
            trigger_error('page_permission::Update requires for page to be set', E_USER_ERROR);
        }

        // Grab existing permissions.
        $permissions = folio_page_permission::SelectWherePageIdent( $page->page_ident );

        // Go to first permission record.
        if( !$permissions ) {
            // No existing. Insert
            $i = new StdClass();
            $i->security_ident = $page->page_ident;
            $i->user_ident = -1;
            $i->accesslevel = $level;
            insert_record('folio_page_security',$i);
        } else {
            // Existing, update.
            set_field('folio_page_security', 'accesslevel', $level, 'security_ident', $page->page_ident);
        }

        // Ensure that the page has security_ident = page_ident.  If not, update.
        if( $page->page_ident != $page->security_ident ) {
            $page->security_ident = $page->page_ident;
            $page->Update();
        }

        return true;
    }


    /**
     * Return security records for the page.
     *
     * @param int $page_ident
     * @return unknown
     */
    public function SelectWherePageIdent( $page_ident ) {
        return folio_page_permission::folio_page_security_select( $page_ident );
    }

    /**
     * Returns the most permissive permission level for the page.
     * Not best design, as most things should be routed through Permission()
     * However, needed for RSS stuff.
     *
     * @param unknown_type $page_ident
     */
    public function SelectHighestWherePageIdent( $page_ident ) {
        // At the moment, there's only a single access level for each object.
        //    Just return that.
        $accesslevels = folio_page_permission::SelectWherePageIdent($page_ident);

        if( !!$accesslevels ) {
            foreach( $accesslevels as $level ) {
                return $level->accesslevel;
            }
        } else {
            return "private";
        }
    }

    /**
    * Retrieve a page's security records.
    *
    * @param int $page_ident
    * @return array of MYSQL record in array form..
    **/
    private function folio_page_security_select( $page_ident ) {
        global $CFG;

        // Create a fake first column to satisfy ADODB's requirement of a unique first field.
        $permissions = recordset_to_array(
            get_recordset_sql( "SELECT CONCAT(user_ident, '.', security_ident) jointkey, " .
                'user_ident, security_ident, accesslevel FROM ' . $CFG->prefix .
                'folio_page_security WHERE ' .
                "security_ident = $page_ident ORDER BY user_ident" ) );

        return $permissions;
    }
}

?>
